11-20-2003, 07:39 PM
WebProWorld New Member
Join Date: Nov 2003
Location: Australia & Worldwide
Posts: 1
forged email headers
How does a small business go about stopping someone in China sending out bulk spam email messages with forged email headers so the bounced returns come to us and not them. Apart from the annoying clogging of our email, the many messages that don't bounce give us a bad name as the recipients (and AOL, etc) all think these messages came from our domain name. Simply blocking the receipt of these bounced messages would not solve the second part of the problem.
A nice person at "Spam abuse" Yahoo! tried to help in general terms along the lines that they discourage it by threatening legal action etc. That's okay for the big boys but a lot of us "internet pros" are still too small.
Thanks, Danny

11-21-2003, 12:00 PM
WebProWorld New Member
Join Date: Aug 2003
Location: Pacific Northwest
Posts: 18
Use the FTC
I had this exact thing happen to me.
I have my email set to receive anything@. I started getting a bunch of "Undeliverable and Failure" notices in my inbox. I started out quite bewildered. I DID NOT SEND THESE! After quite a bit of searching spam regs, I found the FTC (Federal Trade Commission) website with a complaint form < https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01 > and email < mailto:UCE@FTC.GOV > to forward spam to.
I only received about 65 of these and forwarded all of them, and then it stopped. So, did the FTC take care of this spammer? Not sure. But, the emails have stopped.
Hope this helps you.

11-21-2003, 12:06 PM
WebProWorld Veteran
Join Date: Nov 2003
Location: mid south USA
Posts: 375
Forged e mail headers
I am having the same problem. In fact, yesterday I received a bunch of "can't deliver" messages, all with AOL addresses. I am concerned that AOL will put a permanent block on my domain e mail address and there seems to be no way to contact them to rectify their actions. Another concern is that people will report me as a spammer to my hosting company and my site will be shut down. This happened to a friend of mine and it took her a while to convince the hosting company to get her up and running again.
Any help that anyone out there can give will be most appreciated.

11-21-2003, 12:44 PM
WebProWorld New Member
Join Date: Aug 2003
Location: Newport, RI
Posts: 3
forged email headers
Well, unfortunately there is not a lot you can do in your case. What has happened is someone has randomly grabbed your hostname (i.e. www.HouseIT.com) and used it to mask their fake IP address. It is referred to as spoofing. They use some sort of computer program to randomly generate fake email addresses and send out Spam to a list of people - through rented or randomly generated lists that they have found by crawling the web. You will notice that all the email addresses they have used are fake (i.e. yz_suzy@HouseIT.com). You have set up some "catch all" emails on your side, so when the message to an unknown user on one mail server gets bounced back, it goes to your mail box instead of the nonexistent yz_suzy@HouseIT.com mailbox.
The good side to all of this is that they are using an IP address to send these messages out, not really your Hostname. So, although you see it as them sending mail from your machine, more or less, they actually aren't. The FTC, AOL, or whoever is looking into such matters knows that it doesn't come from your machine, and knows that the entire thing is "spoofed" from software that is creating this spam.
The bad side is that as a business owner, your name is being seen by hundreds of thousands of internet users as someone sending spam. However, the chances of them A) remembering and B) Being in your target audience in the first place are as random as it gets.
Eventually, the spammer will move on...and make his way to another victim as to remain mobile from the forces of Internet Security, etc. In the meantime, turn off your "catch all" on your email account, and wait for those rewarding emails coming in to your established name and accounts :)
Regards,
Jaret
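
The point above, that forged mail leaves from the spammer's IP address and not from your server, can be checked on each bounce by reading the top Received header of the returned original. This sketch is an added example, not part of any post in the thread; the domain names, the 192.0.2.0/28 range standing in for "our" servers and the sample bounce are constructed, and it assumes the bouncing server took the message directly from the sender and logs it in the `(name [ip])` form.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the only addresses our own mail leaves from (documentation range).
OUR_OUTBOUND = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample bounce, trimmed to the part used here: the returned
# original message with its headers.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: yz_suzy@ourdomain.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from ourdomain.example (unknown [203.0.113.77])
    by mx.recipient.example with SMTP; Fri, 21 Nov 2003 12:00:00 -0800
From: "Suzy" <yz_suzy@ourdomain.example>

body
--b1--
"""

def bounced_original(bounce_text):
    """Return the message that bounced (or just its headers), else None."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def connecting_ip(original):
    # The topmost Received header is written by the receiving server;
    # lower ones were supplied by the sender and can be forged.
    received = original.get_all("Received") or [""]
    m = re.search(r"\([^()]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)", str(received[0]))
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def classify(bounce_text):
    original = bounced_original(bounce_text)
    ip = connecting_ip(original) if original is not None else None
    if ip is None:
        return "unknown: bounce has no original headers or connecting IP"
    if any(ip in net for net in OUR_OUTBOUND):
        return f"ours: left {ip}, check our server and its scripts"
    return f"forged: left {ip}, which is not one of our servers"
```

An "ours" result is the case to take to the hosting company, since it means a server or script on your side really is sending.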

11-22-2003, 03:09 AM
WebProWorld New Member
Join Date: Aug 2003
Location: Hong Kong
Posts: 1
It is easier in US to solve this problem
Outside the US, such as where we are in Hong Kong, the problem is a lot worse. In this geographic region, there are only a few ISPs available, so someone spoofing your domain would have a good chance of spoofing using a similar IP address, since it is less common for people to use a fixed IP address. This is particularly true in densely populated areas if the "spoofer" used a dial-up. Because a lot of companies and users actually have no choice but to use the SMTP server from the ISP that provides the internet access versus the ISP that hosts the domain and web site, it is almost indistinguishable for anyone trying to trace the real origins of these spammers. I believe that the absence of authentication in the SMTP protocol caused this problem.
Just a few months ago, I had all our emails bounce back from one of our customers because our customer's email filter companies blacklist all the email coming from a set of IP addresses that happen to be servers of one of the largest ISPs in our region. I ended up having to communicate by fax only, and the email filter companies have refused to open the block on our domain up until now, as they can't tell if we are a spammer. I later discovered that we had only a 1/4 chance for all the ISPs that I can pick for our access to be blacklisted by someone abroad. I think that the answer may be in the future, with some better SMTP protocol that forces the use of authentication technology to distinguish real people from fake users.
Regards, George.

11-22-2003, 06:01 AM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: United Kingdom
Posts: 1,711
Take care with Returned emails
Take care with Returned emails.
I've received a few which have a Virus file attached.
This is a ploy, on the following lines:-
Looking in your InBox you find returned undelivered emails.
You open them to find out which emails failed to get through.
If you open the attachment your computer gets the virus.

12-03-2003, 05:24 PM
WebProWorld Veteran
Join Date: Nov 2003
Location: mid south USA
Posts: 375
Forged e mail headers
This is my second posting on this subject: I finally got through to a real person this morning at my web hosting company, and found out that THEY had added a new script with a vulnerability which allowed spammers to actually use my web site to send spam. At my request they removed this script. Now, hopefully the dozens of bouncebacks I've been getting from this spam mail will cease.
I tried the earlier suggestions on this topic of forwarding the bounce backs to the FTC, and also to Spam Cop, but nothing seemed to help. If I hadn't talked to a real person at the web host I may have been permanently shut off by everyone (AOL threatened to shut me off, and I called and talked to them about it).
I've had a lot of drops from my newsletter mailing list lately, and I'm sure it was due to this "mistake" on the part of my hosting company.
SOoooo to make a long message short, if you are having problems with spammers, do call your hosting company and insist that they check their scripts for vulnerability.
And yes, this hosting company was highly recommended by a friend whose son is a supreme hacker and stated that they are very, very secure. So, there....one never knows for sure, does one?

12-29-2003, 12:11 PM
WebProWorld New Member
Join Date: Aug 2003
Location: Jacksonville, Florida
Posts: 2
Help..my email address has been hijacked
For about 2 weeks I'm getting notices for undelivered emails. The problem is, I didn't send those emails. It always shows as sender a person's name with my email address in <> behind it. The message usually is for Viagra, etc......
I could simply delete this email address, but I'm a little ticked off and would like to pursue this issue. (not the Viagra).
Any idea what my next step should be......
Pls help

12-29-2003, 12:53 PM
WebProWorld Pro
Join Date: Aug 2003
Location: USA
Posts: 135
I would send a copy of one of the e-mails to my Internet provider asp so they could look into the matter.

01-02-2004, 04:07 PM
WebProWorld New Member
Join Date: Nov 2003
Posts: 16
Hijacked email
First step:
Run an updated Antivirus program.
Regards

01-02-2004, 11:17 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Western Australia
Posts: 2,105
This is because these companies spoof your email address. We all know that spammers harvest email addresses, well, some are more than cocky to get past blocking & filters...they use these harvested addresses in the 'from' line. Consequently you are getting email back as undelivered, they are bouncing back to the email account it 'says' it comes from.
Unfortunately, it's just one of those things.
The only suggestion I can make is that for any email address you have on the net, make it a web based email account (yahoo, hotmail, etc). That way at least if people are getting emails from you, they are getting a free for all email account, which many associate with spam anyway.
I get these same return emails. I don't get spam, because I manage my email accounts well. But, these undesirables have in the past gotten hold of one of my email addies from long ago, and they just keep reselling these lists around.
Contacting your ISP is an avenue for reducing your spam. But once these spammers have your email address, I am pretty sure there is nothing you can do to stop them using it in the 'from' field to get past email filters.
If anyone does know a way, I know I would be interested in knowing it too.
Cindy

01-03-2004, 01:52 AM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
I see that Matauri has covered one of the possible causes of spam, but aren't the harvesters looking for address to spam to?
In any event, leus wrote:
Quote:
"First step:
Run an updated Antivirus program.
Regards"
Yes, "Worms" and blended threats are becoming the tool of choice for spammers these days; what happens these days is that a worm, which is part virus, part trojan, either has an SMTP server built into it or uses the PC's own e-mail client.
In a nutshell, something has invaded your computer and is using you to spam people!
Did you know that 50% of all e-mail on the net is now spam? Now for the scary part, 33% of all home computers have been 'recruited' and are actively involved in spamming?
The people behind this are hiding behind 'spoofed' (made up) and stolen (by the process I described) e-mail addresses so that they are very difficult to find, if not impossible.
You must scan your computer, and you must delete the account, because you are now a spammer, and it doesn't matter that it is not your fault - initially anyways. But now that you are aware of what is going on, I encourage you to stop it, but I am not giving you heck in any way, you haven't done intentional spamming or realized what the repercussions could be.
Here is a page that will show you how to get the information from your email headers, and answer all kinds of questions you may have. It is geared towards stopping from being spammed but the info is relevant, and it tells you what could happen to you if you do not stop your system sending!
THIS JUST IN!! I was going to address Matauri's point about spambots harvesting e-mail addresses when I just now found this page, on this excellent site (I cannot go on the internet lately without finding these wicked sites everywhere!)
which explains several ways to protect your websites. Looks like I got a good answer for you here : STOP SPAM BOTS? http://www.bestprac.org/articles/index.htm
and this just about covers everything else, an article from pcmag called "Heading Off Spam" : http://www.pcmag.com/article2/0,4149,940319,00.asp
Finally, this blog has some good info for protecting your blogs on top of your website ; http://www.metafilter.com/mefi/29649
Oh - BOY :o)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

01-03-2004, 02:13 AM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Unbelievable!
It just keeps getting better and better!
A whole galaxy of info, resources, tutorials,...
http://www.sitetamer.com/strads/spam/
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

01-03-2004, 03:25 AM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Western Australia
Posts: 2,105
Quote:
Originally Posted by Mik: "I see that Matauri has covered one of the possible causes of spam, but aren't the harvesters looking for address to spam to?"
Yup, and they are using it the other end too now Mik, a lot. They are using the harvested email addresses & putting them in the 'from' field to fool email filters, etc.
Cindy

01-03-2004, 03:17 PM
WebProWorld New Member
Join Date: Nov 2003
Posts: 16
1. I absolutely agree with all of you.
2. I am guessing is a virus or worm of the type W32/mimail family that copies your email addresses and uses its own engine to send emails.
So I hope that if you run your antivirus program you can tell us what is the name of the worm and if your antivirus does not remove the worm, I can direct you to the sites where you can download a specific tool to remove it.
Give us more info of your Operating System you are using (Windows98/ME or XP)
Regards

01-03-2004, 04:38 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
massmailers
leus, this is what I'm thinking as well!:
Quote:
"I am guessing is a virus or worm of the type W32/mimail family that copies your email addresses and uses its own engine to send emails."
These guys are getting pretty nasty these days, eh? It's not like you can shut them down in task manager either; if you don't know what you are doing ahead of time, they reboot the OS before you can get to any serious reg editing!
I have had two people now that we had to completely reformat and rebuild the MBR on one (although I think that was my fault lol), because we could not even use safe mode, scan from the command console, or even get an online started.
I just want people to know that there is getting to be big money behind some of these internet attacks and spamming, and identity thieves are using some extremely sophisticated stuff to con people because they are already inside their computers! and can run spoofed Paypal and eBay sites etc. claiming to need "credit card number" for validation and such.
It is now a fact of life that these types are at war with the people who try to stop them: Govt. sites, and Anti-virus companies, network security firms, and all else. This is not kid stuff anymore when seasoned techs can't even debug their own machine, and DDoS's are being carried out thousands of times a week against Internet service providers and corporate giants of technology.
It is just something to keep in mind next time you try to sign in to hotmail, or go to a big site and there are problems with it or it is down. It is not only hurting yourself by slowing your own computer to a crawl, they are stealing lives (identities) and disrupting daily life for all of us, and there is a lot of anger around sometimes about people not being vigilant. I do not agree one bit with anymore (I used to be a snob sniff lol) but is just a measure of what is going on.
I am busier doing tech work now than I ever have been, it just seems way different than it was even nine months ago.
I am overreacting mayhaps just a bit, but is something to be aware of all the time now, and gerhard, people have lost their service and the right to have accounts on providers just because they were being used as the source unknowingly.
Well, that's my typing lesson for today!
And I want to stress again that gerhard is A OK with me, I am just spouting off, but I'm happy for you to post this here so we could all help and learn!
Hey, we might've been the first to report something last week, although trendmicro never sent a reply so... I am still interested to find out your Windows version and see how this goes.
Thanks gerhard :)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

01-03-2004, 06:23 PM
WebProWorld New Member
Join Date: Nov 2003
Posts: 16
If you don't find any virus then Matauri is absolutely right.
Here is what the experts from University of Michigan say:
If your name is forged as the sender of the spam,
this does not mean that your account has been compromised.
The email is not sent from your account; instead, it is sent forged in your name.
Here you can find advice and the whole explanation from the University of Michigan.
http://www.itd.umich.edu/virusbuster...spam.htm
Regards

01-04-2004, 04:07 AM
WebProWorld New Member
Join Date: Nov 2003
Posts: 16
I've found more info. Go to
http://www.fmp.com/spam_patrol/
Select Tracking (the red button)
Select locating system administrator
There you will find how to contact the mail or abuse administrator of the system
on which the mail originated or of the system which was used to relay the spam - or both.
What tools are available to find out if a domain is registered with the InterNIC.
How to contact the Network Abuse Clearinghouse
to reach the appropriate system admins on systems involved in spam.
Regards and good luck.

01-04-2004, 11:44 AM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Western Australia
Posts: 2,105
I have merged a couple of topic threads here because they seem to be discussing the same subject. This way people won't have to double post ideas, and both threads can benefit from the same information, as this is an annoying practice that is obviously affecting many.
Cindy

01-04-2004, 08:07 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Thanks, mat. It helps me already, I wasn't as aware of this form of spoofing so much until you opened my eyes and with these links :O)
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel